On July 13, 2010, the Article 29 Data Protection Working Party adopted a report on the EU Data Retention Directive (2006/24/EC). The report is the Working Party’s contribution to the European Commission’s evaluation of the implementation of the Data Retention Directive, which is due by September 15, 2010. It details the results of a joint inquiry by the data protection authorities into how well telecom providers and Internet service providers comply, at the national level, with their obligations under both the Data Retention Directive and Articles 6 and 9 of the EU e-Privacy Directive (2002/58/EC).
Filed under Cédric Laurant, English, EU Law, Europe, European Union, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with access control, access request, Article 29 Data Protection Working Party, authentication, back-up, biometrics, cloud computing, cloud computing system, confidentiality, contractual clauses, Council of Europe Recommendation R(87)15, data deletion, data security, data security breaches, data security principles, digital signature, dual authentication, encryption, EU Data Retention Directive, EU Directive 95/46/EC, EU e-Privacy Directive, European Commission, European data protection authorities, external audit, handover procedures, in-house policies, integrity, law enforcement authorities, LEA-accessible systems, log integrity, log retention, logs, mutual assistance and cooperation, mutual authentication, non-repudiation, outsourcing, password, personal data, retained data, retention period, security audit, security certification, security policy, security standards, self-regulation, sensitive information, sensitive personal information, system administrator, system maintenance, technical and organizational security measures, third party certification, tracking, traffic data, warrant
On April 29, 2010, the Düsseldorfer Kreis, an informal group of German data protection authorities, published a decision that could have significant repercussions for U.S. companies importing personal data from organizations operating in the European Union. One of these repercussions is that German organizations exporting personal data to the United States should verify that the U.S. data importer actually complies with the Safe Harbor Framework. Security plan recommendations will provide a useful guideline for EU data exporters seeking to comply with the Safe Harbor Security Principle.
Filed under Cédric Laurant, Comments, English, EU Law, Europe, European Union, Germany, Marie-Andrée Weiss, North America, United States · Tagged with adequacy requirement, adequate level of data protection, Article 25 (EU DP Dir.), Article 26(2) (EU DP Dir.), Article 29 Data Protection Working Party, Best Buy, Binding corporate rules, Bundesdatenschutzgesetz, co-regulation, contractual clauses, data exporter, data importer, data security breaches, data security plan, Düsseldorfer Kreis, DSW, due diligence, encryption, EU Directive 95/46/EC, European Commission, European data protection authorities, German Federal Data Protection Act, Germany, independent auditing firm, information security, ISO, ISO 27000, loss, misuse, personal data, personally identifying information, privacy policy, RealNetworks, reasonable security measures, Safe Harbor Framework, Safe Harbor Security Principle, Safe Harbor self-certification, Safe Harbor self-certified organizations, self-regulation, sensitive personal information, third countries, transborder data flows, unfair and deceptive practice, US Department of Commerce, US Department of Transportation, US False Statements Act, US Federal Trade Commission, US Food and Drug Administration
Will France adopt a law requiring the notification of security breaches?
Posted by "Security Breaches" Administrator on August 6, 2010
A French bill “to better guarantee the right to privacy in the digital age” implements European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” (a person within an organization who may be the controller or someone assisting the controller), or, in the absence of such a correspondent, the French data protection authority (the Commission Nationale de l’Informatique et des Libertés), of any breach of integrity or confidentiality. The individuals concerned must also be informed, at least where the security breach is “likely to adversely affect” their personal data. The bill follows the Directive’s recommendation to notify individuals of security breaches in all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly.
(A French version of this article is also available in this blog.)
Filed under Cédric Laurant, Comments, Countries, English, EU Law, Europe, European Union, France, Marie-Andrée Weiss · Tagged with Act No. 78-17 of January 6 1978, Act on Data Processing Data Files and Individual Liberties, California, California Office of Privacy Protection, California Security Breach Notification Act, CNIL deliberation No. 81-94 of July 21 1981, Commission nationale de l’informatique et des libertés, contract, contractual clauses, data breach, data confidentiality, data controller, data protection correspondent, data security, data security breaches, EU Directive 2002/58/EC, EU Directive 2009/136/EC, French Data Protection Act, French Data Protection Authority, French National Assembly, French Senate, general IT security measures, personal data, security breach, security breach notification, technological protection measures, unauthorized access, United States